
Rewterz Threat Alert – Malspam Pushes the Information Stealer ‘Lampion’

December 30, 2019

Severity

Medium

Analysis Summary

Email templates mimicking the Portuguese Government Finance & Tax authority are being used to push the Lampion malware via malspam. Portuguese users were targeted with emails reporting issues related to a debt from 2018. When the victim clicks a link in the email body, the malware is downloaded from an online server. The downloaded file is a compressed (.zip) archive named FacturaNovembro-4492154-2019-10_8.zip.

After extracting the archive, three files are presented.

The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of Lampion’s infection chain. It is a Visual Basic Script (VBScript) file that acts as a dropper and downloader, fetching the next stage from a compromised server on the Internet, an AWS S3 bucket.

The Lampion trojan uses anti-debug and anti-VM techniques. A commercial protector, VMProtector 3.x, together with specially crafted code makes the sample difficult to analyze both in a sandbox environment and manually.

Impact

Exposure of sensitive information

Indicators of Compromise

MD5

  • 3350e74a4cfa020f9b256194eae25c12
  • e7bdce5505ee263530dea04c2fdc661f
  • 18977c78983d5e3f59531bd6654ad20f
  • 76eed98b40db9ad3dc1b10c80e957ba1

SHA-256

  • 418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047
  • f7a7a5144e72e83d4a12c9abc2a6a2875a23e6adce425fde2428b8f7b46b1a7e
  • eb3f2be571bb6b93ee2e0b6180c419e9febfdb65759244ea04488be7c6f5c4e2
  • 54b6af48991c5c03a5a905eeb5d922eef86678b2bfc3f77d784b3d91691837e1

URL

http[:]//100.26.189[.]49/PY/App[.]php?=5wzpz2e7xglkzmh

Remediation

  • Block the threat indicators at their respective controls.
  • Strictly avoid clicking on URLs found in untrusted emails.
  • Do not download files from untrusted emails or random sources on the internet.
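The first remediation item asks for the indicators above to be blocked and, just as usefully, searched for in existing telemetry. The following is an added example, not Rewterz's tooling: it takes the MD5, SHA-256 and defanged URL indicators from this advisory, refangs the URL, and sweeps a handful of constructed proxy and EDR log lines for exact hash or URL hits and for any other request to the same host. The log format, host names, and the pairing of file names with hashes are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the advisory above.
MD5_IOCS = {
    "3350e74a4cfa020f9b256194eae25c12",
    "e7bdce5505ee263530dea04c2fdc661f",
    "18977c78983d5e3f59531bd6654ad20f",
    "76eed98b40db9ad3dc1b10c80e957ba1",
}
SHA256_IOCS = {
    "418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047",
    "f7a7a5144e72e83d4a12c9abc2a6a2875a23e6adce425fde2428b8f7b46b1a7e",
    "eb3f2be571bb6b93ee2e0b6180c419e9febfdb65759244ea04488be7c6f5c4e2",
    "54b6af48991c5c03a5a905eeb5d922eef86678b2bfc3f77d784b3d91691837e1",
}
# URL exactly as it is defanged in the advisory.
DEFANGED_URLS = ["http[:]//100.26.189[.]49/PY/App[.]php?=5wzpz2e7xglkzmh"]


def refang(ioc: str) -> str:
    """Restore a defanged indicator to its literal form so it can be matched against logs.
    Handles the [:] and [.] style used above plus the common hxxp prefix."""
    return ioc.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


URL_IOCS = {refang(u) for u in DEFANGED_URLS}
HOST_IOCS = {urlparse(u).hostname for u in URL_IOCS}

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class Match:
    line_no: int
    kind: str   # "md5", "sha256", "url" (exact URL) or "host" (same host, other path)
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator hit found in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        h = h.lower()
        if len(h) == 32 and h in MD5_IOCS:
            hits.append(Match(line_no, "md5", h))
        elif len(h) == 64 and h in SHA256_IOCS:
            hits.append(Match(line_no, "sha256", h))
    for u in URL_RE.findall(line):
        if u in URL_IOCS:
            hits.append(Match(line_no, "url", u))
        elif urlparse(u).hostname in HOST_IOCS:
            # Same server, different path: worth triage even without an exact URL hit.
            hits.append(Match(line_no, "host", u))
    return hits


def scan_logs(lines) -> list:
    """Sweep an iterable of log lines and collect all hits in order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry (assumed format; not real logs). The file/hash pairing on
# line 2 is made up for the example and does not come from the advisory.
SAMPLE_LOGS = [
    "2019-12-30T10:14:02Z proxy src=10.0.0.12 url=http://100.26.189.49/PY/App.php?=5wzpz2e7xglkzmh status=200",
    "2019-12-30T10:14:05Z edr host=WS-0042 file=FacturaNovembro-4492154-2019-10_8.vbs sha256=418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047",
    "2019-12-30T10:20:11Z proxy src=10.0.0.13 url=https://www.example.com/index.html status=200",
    "2019-12-30T10:21:00Z edr host=WS-0042 file=notes.txt md5=d41d8cd98f00b204e9800998ecf8427e",
    "2019-12-30T10:25:00Z proxy src=10.0.0.14 url=http://100.26.189.49/other/path status=404",
]

if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} hit -> {m.value}")
```

Hash hits are exact-match only, so renamed or repacked samples will not trigger; the host-level match on the URL indicator is the looser net that catches a follow-up download from the same server, and should be paired with blocking the IP at the proxy or firewall as the remediation list suggests.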